graph-query
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating user-provided input (the 'target' extracted from natural language questions) into a command template: python .claude/scripts/code_graph query <pattern> <target> --json. If the extracted target contains shell metacharacters and is not properly sanitized, it could lead to arbitrary command execution.
- [EXTERNAL_DOWNLOADS]: The skill documentation lists dependencies such as tree-sitter, tree-sitter-language-pack, and networkx. These are well-known, legitimate libraries used for code analysis and graph management, and the skill assumes they are already installed in the environment rather than downloading them at runtime.
Audit Metadata